Sovrin Network Self-Sovereign Identity
Expectations are changing for Identity and Access Management. Users demand control over their personal information, and enterprises need to fundamentally rethink their relationship to personal customer data in the wake of GDPR and CCPA. Self-Sovereign Identity (SSI) from the Sovrin Network allows enterprises to streamline their collection of identity information, sign-on options for customers and employees, and move to a digitally-based identity verification system.
Digital Transformation has shifted most customer, B2B, and peer interactions to a digital setting. While the technological capabilities of companies have expanded to facilitate this, the treatment of identity has not yet been optimized to fit customer habits in the Digital Transformation. The typical user has nearly 200 separate online accounts, which almost guarantees that a user will compromise their security by repeating usernames and passwords. But at a more fundamental level, the relationship between online service providers, users, and identity information is imbalanced. The current standard for Identity and Access Management (IAM) makes enterprises the holder of Personally Identifiable Information (PII) and other critical identity information, and the user trusts that the enterprise treats their private data with respect. It is not advantageous for enterprises nor users to manage identity and access information in this way. This is the result of societal expectations of the company-customer relationship being reshaped; companies are given the heavy responsibility of managing private data properly, and consumers are increasingly demanding control of their personal data. Responding to these market pressures, a new era of identity is likely to begin.
Self-sovereign identity (SSI) is an identity philosophy that offers a solution to the above issues. It is named after its own mission: to return autonomous control of identity information back to the individual user. SSI is one of the several terms for this concept that is taking hold: blockchain identity, decentralized identity, and portable digital identity are among the most popular, although these terms still contain limitations when describing SSI; a decentralized identity scheme may exist that doesn’t involve the individual or give them control of their identity. A critical aspect of SSI is that it supports a change in how identity is treated by companies, users, and depending on the scope of the solution even government entities. Any solution that promises SSI control should have an action plan for implementing an interoperable, open protocol that establishes the foundation for identity transactions within a single enterprise, or within a wider ecosystem.
Blockchain is a common architectural component of SSI solutions. Blockchain provides an underlying “trustless” foundation for the exchange of identity credentials. It is able to be this foundation because of its inherent strengths as a distributed ledger, where each transaction is digitally signed by the original parties, written to the blockchain with a digital hash, and participating nodes accept the new block of transactions via a consensus mechanism which isreplicated on every participating node. The consensus mechanism, usually customized for each protocol, prevents falsified transactions from being written to the blockchain or previous transactions from being altered.
Decentralized Public Key Infrastructure (DPKI) is often a central part of establishing a blockchain-based SSI. Instead of relying on centralized management of usernames and passwords as in traditional PKI, DPKI allows the individual to be the sole holder of a private key, and the public key is used by other parties to initiate transactions with the principal. While very secure, DPKI still presents usability challenges because there is no central support service to assist a principal who loses their private key, or if the private key were compromised.
In order to create an underlying infrastructure that can support an interoperable open protocol for SSI, the DPKI needs to be registered and communicated in a standard way without giving up the ownership of the registration to a third party. Decentralized Identifiers (DIDs), an emerging W3C standard plays a role in the DPKI for SSI.
Key challenges that drive the need for SSI are:
- Enterprise Pain Point: Regional regulation like GDPR and CCPA require enterprises to minimize the amount of PII data that is collected and held
- Enterprise Pain Point: The abundance of data and potential to harness data for process and marketing insights makes hoarding unnecessary data tempting
- Enterprise Pain Point: Although digital records are more convenient, identity is still primarily managed on paper; this causes inefficiencies and unreliability for enterprises
- Customer Pain Point: Typical username/password structure of their many digital identities is unmanageable unless security is compromised by reusing passwords
- Customer Pain Point: People do not control their identity information, It is held by companies and sometimes shared without their knowledge
Key regulatory, governance, and operational requirements that are associated with SSI are:
- Regulatory: GDPR compliance requires that all institutions protect PII data and a citizen’s right to be forgotten; blockchain best practice dictates that no PII data ever be written to the blockchain
- Governance: The philosophical demand for the ownership of data to be returned to the individual is causing societal expectations to shift, and the mass voice of users will likely have a strong effect on how widespread SSI solutions become
- Operational: Blockchain scalability remains an issue with public blockchains. Consensus mechanisms create a tradeoff of throughput and trust
The Sovrin Network offers a robust and promising solution to create a new relationship to digital identities for both enterprises and customers. Its open source blockchain protocol and integrations for enterprise usage make it a main player in the race for establishing SSI.